CVE-2026-14151: Inappropriate implementation in AI in Google Chrome prior to 150
Inappropriate implementation in AI in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Low)
Metrics
- CVSS v3.1: 9.6
- Severity: CRITICAL
- Fixed in: 150.0.7871.47
- Affected Products: 1
HarborGuard Analysis
Synopsis
A sandbox escape vulnerability exists in the AI subsystem of Google Chrome versions prior to 150.0.7871.47. An attacker who has already compromised the Chrome renderer process can exploit this flaw remotely by serving a crafted HTML page to a victim, breaking out of the browser sandbox and gaining capabilities outside the normally isolated rendering environment. Successful exploitation gives the attacker high-impact read, write, and denial-of-service control over confidential data, application integrity, and service availability. A patched-image rebuild at version 150.0.7871.47 is available on HarborGuard for affected environments.
HarborGuard Coverage
Detection of CVE-2026-14151 is available across every HarborGuard environment, with the CVE ingested from upstream feeds within minutes of publication and matched against all customer registry images and CI/CD pipeline stages, including custom-built Chrome-based container images. Any image running a Chrome version below 150.0.7871.47 is flagged automatically.
Available
HarborGuard triage capability applies the CVSS 3.1 score of 9.6 (Critical) to findings for this CVE, weighted against each customer organization's per-environment compliance policy, and routes alerts to the appropriate team inbox based on configured severity thresholds and ownership rules.
Available
A patched-image rebuild targeting Chrome 150.0.7871.47 is available on HarborGuard for any environment running an affected version. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite against the updated image, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes for environments with auto-remediation enabled.
Available
Exploit Conditions
- Network reachability: Required
  The attacker must reach the victim over the network by delivering a crafted HTML page, making internet or intranet exposure to untrusted content a prerequisite.
- Authentication: Not required
  No authentication is needed; the attacker only needs the victim to load a malicious page, with no account or credential barrier in place.
- Victim interaction: Required
  The victim must visit or be directed to a crafted HTML page, meaning some degree of social engineering or link delivery is required to trigger the exploit.
- Attack complexity: Detail
  Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other unpredictable environmental factors, provided the renderer process has already been compromised.
Blast Radius
- Attacker breaks out of the Chrome browser sandbox, gaining execution capabilities in the host process context beyond the isolated renderer.
- Confidential data accessible to the browser process, including stored credentials, session tokens, and local files, becomes readable by the attacker.
- The attacker can modify application state or persisted data reachable from the escaped sandbox context, including browser profile data and locally cached content.
- The attacker can crash or destabilize the affected service, causing denial of availability for the browser instance and dependent workloads.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-14151 is active across all connected environments, matching images against the affected Chrome version range on every ingest cycle. Where compliance policy permits, a patched-image rebuild at Chrome 150.0.7871.47 is queued automatically upon detection. For customers who opt into auto-remediation, HarborGuard rebuilds the image, executes a regression test run, and opens a pull request against affected workloads; for critical-severity issues, the median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled. Customers without auto-remediation receive a prioritized finding with fix-version details and can trigger the rebuild manually from the HarborGuard dashboard.
Fix available
- Google / Chrome < 150.0.7871.47 (from 150.0.7871.47)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
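A local check of Chrome builds against the fixed version 150.0.7871.47 listed above, as an added example that is not HarborGuard's or Google's code. The image names and `--version` strings are constructed sample input, and the function names are hypothetical.

```python
import re

FIXED = (150, 0, 7871, 47)  # fixed version stated on this page

# Four-part Chrome/Chromium version, as printed by `--version`.
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_chrome_version(text):
    """Return the version as a 4-tuple of ints, or None if none is found."""
    m = _VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None


def classify(text, fixed=FIXED):
    """Classify one `--version` string as 'affected', 'fixed' or 'unknown'."""
    version = parse_chrome_version(text)
    if version is None:
        return "unknown"  # never treat an unparseable build as safe
    # Tuple comparison is numeric per component; comparing the raw
    # strings would rank 150.0.7871.5 above 150.0.7871.47.
    return "affected" if version < fixed else "fixed"


def scan(inventory):
    """Map image name -> classification for a {name: version_output} dict."""
    return {name: classify(out) for name, out in inventory.items()}


# Constructed sample inventory (hypothetical images, not real scan output).
SAMPLE = {
    "ci/headless-a": "Google Chrome 150.0.7871.46 ",
    "ci/headless-b": "Google Chrome 150.0.7871.47 ",
    "web/render": "Chromium 150.0.7871.5 snap",
    "qa/legacy": "Google Chrome 149.0.7000.120 ",
    "tools/pdf": "chrome: command not found",
    "dev/canary": "Google Chrome 151.0.7900.0 dev",
}

if __name__ == "__main__":
    for image, status in sorted(scan(SAMPLE).items()):
        print(f"{status:9} {image}")
```

Images reported as `unknown` need manual inspection rather than being counted as patched.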